CVE-2025-11563

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.

This flaw only affects the wcurl command line tool.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u14
not-affected
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
not-affected
bullseye (security)
7.74.0-1.3+deb11u16
fixed
forky
8.18.0-2
fixed
sid
8.19.0~rc2-2
fixed
trixie
8.14.1-2+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
plucky
ignored
questing
needed
trusty
not-affected
xenial
not-affected
References
https://curl.se/docs/CVE-2025-11563.html
https://curl.se/docs/CVE-2025-11563.json
http://www.openwall.com/lists/oss-security/2025/11/04/1